OpenManage Integration for Microsoft System Center Version 7.3 for Microsoft Endpoint Configuration Manager and System Center Virtual Machine Manager Security Configuration Guide June 2021 Rev.
Notes, cautions, and warnings NOTE: A NOTE indicates important information that helps you make better use of your product. CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem. WARNING: A WARNING indicates a potential for property damage, personal injury, or death. © 2009 - 2021 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.
Contents
Tables
Chapter 1: PREFACE
Chapter 2: Security Quick Reference
Deployment models
Chapter 4: Miscellaneous Configuration and Management
OpenManage Integration for Microsoft System Center Version 7.3 for Microsoft Endpoint Configuration Manager and System Center Virtual Machine Manager (OMIMSSC) licensing
Manage backup and restore in OMIMSSC
PowerShell Permission
Tables
1 Revision History
2 Pre-loaded accounts and default credentials
3 User accounts with required privileges
1 PREFACE As part of an effort to improve its product lines, Dell EMC periodically releases revisions of its software and hardware. Some functions that are described in this document might not be supported by all versions of the software or hardware currently in use. The product release notes provide the most up-to-date information about product features. Contact your Dell EMC technical support professional if a product does not function properly or does not function as described in this document.
Table 1. Revision History
Revision | Date | Description
A00 | June 2021 | Initial release of the OpenManage Integration for Microsoft System Center Version 7.3 for Microsoft Endpoint Configuration Manager and System Center Virtual Machine Manager Security Configuration Guide.
Related documentation
In addition to this guide, you can access the other guides available at https://www.dell.com/support. Click Browse all products, then click Software > Enterprise Systems Management.
2 Security Quick Reference
Topics:
• Deployment models
• Virtual Hard Disk (VHD) and Open Virtual Appliance (OVA) deployment
• Security profiles
Deployment models
You can deploy OpenManage Integration for Microsoft System Center Version 7.3 for Microsoft Endpoint Configuration Manager and System Center Virtual Machine Manager (OMIMSSC) as a VHD and OVA in Hyper-V and ESXi environments, as applicable.
3 Product and Subsystem Security
Topics:
• Security Controls Map
• Authentication
• Login security settings
• Authentication types and setup considerations
• User and credential management
• Network security
• Data security
• Cryptography
• Auditing and logging
• Serviceability
• OMIMSSC Operating System update
• Product code integrity
Security Controls Map
OMIMSSC performs deployment, inventory, and update of PowerEdge and MX 7000 chassis using iDRAC.
Security Controls Map
Authentication
Access control
Access control settings protect resources against unauthorized access. OMIMSSC plug-in pages are accessed by Microsoft System Center console users with appropriate roles and privileges configured in Microsoft Active Directory. Access to the OMIMSSC administration console is given to the OMIMSSC appliance admin account. For more information about roles and privileges, see User Credential Management and Authorization.
This account can be used during troubleshooting to view critical appliance status and logs.
Root account
The OMIMSSC appliance has an operating system root account. This default account is not accessible. The technical support team requires the root account to debug field issues. For more information about roles and privileges, see User and credential management.
Failed login behavior
OMIMSSC includes security settings that apply when there are multiple unsuccessful authentication attempts. For invalid login attempts, the user is prompted with the message "User Name or Password is incorrect".
Local user account lockout
After 3 consecutive failed attempts to log in to the local user account, OMIMSSC temporarily locks out the user for a period of one minute.
OMIMSSC admin operations for setup
The admin account performs the following operations to integrate with Microsoft System Center Consoles.
Download OMIMSSC console extension
1. Log in to the OMIMSSC admin portal by using the admin user name and password. Admin Portal URL: https://
2. Click Downloads and click Download Installer to download the required console extension.
For more information about downloading the OMIMSSC console extension, see the OpenManage Integration for Microsoft System Center Version 7.
Launch OMIMSSC console extension for Microsoft System Center Consoles
The Microsoft System Center Console user must have the Microsoft System Center access and privilege to launch the OMIMSSC Console Extension. The OMIMSSC console extension (in the case of MECM) and the add-in plug-in (in the case of SCVMM) create the appropriate folders on the host. For more information about launching the console extension, see the OpenManage Integration for Microsoft System Center Version 7.
User and credential management
OMIMSSC Appliance administration
The OMIMSSC appliance comes with default pre-loaded accounts and does not support custom accounts.
Pre-loaded accounts
The following table describes the pre-loaded OMIMSSC accounts:
Table 2. Pre-loaded accounts and default credentials
User Account User Name Password Description Admin User admin Set on first boot after deployment. For more information about changing the admin password, see Change OMIMSSC appliance password.
The screen to change the password is displayed.
3. Provide your present password, and then provide a new password matching the listed criteria. Re-enter the new password and click Enter. The status after changing the password is displayed.
4. To return to the home page, click Enter.
NOTE: The appliance reboots after the password is changed.
Infrastructure administration using Microsoft System Center Console
Microsoft System Center user account privileges
The account privileges required to use OMIMSSC are as follows: the user must be a member of the following groups in System Center Consoles to have the account privileges needed to use the OMIMSSC console extension.
Table 3. User accounts with required privileges
Users Privileges/Roles
For enrollment
● The account used to enroll the MECM console with OMIMSSC should be a full admin or an administrator in MECM.
Table 4. Ports OMIMSSC uses for listening (continued)
Port Number | Protocols | Port Type | Source | Direction | Destination | Usage | Description
111 | HTTPS | TCP | iDRAC | In | OMIMSSC Appliance | NFS | Used to determine the address of the NFS.
443 | HTTPS | TCP | OMIMSSC Admin Console and OMIMSSC Plugin Integrated Dashboard | In | OMIMSSC Appliance | HTTPS server | OMIMSSC Admin Console launched on remote browser & OMIMSSC Plugin Integrated Dashboard of MECM & SCVMM uses this port to connect with OMIMSSC Appliance.
Table 5. Ports OMIMSSC uses as client (continued)
Port Number | Protocols | Port Type | Source | Direction | Destination | Usage | Description
2049 | NFS | TCP/UDP | OMIMSSC Appliance | Out | OMIMSSC Appliance | Public Share | NFS public share that is exposed by OMIMSSC appliance to the managed nodes and used in firmware update and operating system deployment flows.
Sensitive Data Migration
About this task
While migrating from the old appliance, the old data is stored as a backup file. The key-store and password are exported as part of the backup procedure. While restoring the data on the new appliance, the sensitive data is re-encrypted using a new encryption key. For additional security, a password provided by the admin user is used to protect the exported backup files. The steps to migrate data are as follows:
Steps
1. Back up the OMIMSSC appliance data using the Admin portal.
Auditing and logging
Appliance logs
Appliance logs display all OMIMSSC Appliance-specific log messages, such as restarting the OMIMSSC appliance. You can view this category of messages only from the OMIMSSC Admin Portal. For more information about specific logs and filters, see the Jobs and Log Center section in OpenManage Integration for Microsoft System Center Version 7.3 for Microsoft Endpoint Configuration Manager and System Center Virtual Machine Manager Version 7.3 User's Guide.
OMIMSSC Operating System update
Periodically, security patches and fixes are released for the OMIMSSC Operating System. These fixes must be installed on existing VHD and OVA deployments of OMIMSSC through an RPM update package. When available, it is highly recommended that you install these security patches and fixes on the OMIMSSC server through RPM update.
Product code integrity
The OMIMSSC software installer is signed by Dell. Download the software installer from www.downloads.dell.com.
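The signature statement above can be checked before the installer is run. The following PowerShell is an added example, not part of the Dell guide; the file path is a placeholder, and matching the signer on the substring "Dell" is an assumption, since the guide does not give the certificate subject or thumbprint.

```powershell
# Added example: verify the Authenticode signature of a downloaded installer.
# The path below is a placeholder; substitute the file you actually downloaded.
$installer = 'C:\Temp\OMIMSSC_installer_placeholder.exe'

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumption: the signer subject contains this organisation string.
        [string]$ExpectedSigner = 'Dell',
        # Optional: thumbprint recorded from a copy you already trust.
        [string]$PinnedThumbprint
    )
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate

    # Status 'Valid' means the hash matches and the chain builds to a trusted root.
    $ok = ($sig.Status -eq 'Valid') -and
          $cert -and ($cert.Subject -like "*O=*$ExpectedSigner*")
    if ($ok -and $PinnedThumbprint) {
        $ok = ($cert.Thumbprint -eq $PinnedThumbprint)
    }

    [pscustomobject]@{
        File        = $Path
        Status      = $sig.Status
        Signer      = if ($cert) { $cert.Subject } else { '<unsigned>' }
        Thumbprint  = if ($cert) { $cert.Thumbprint } else { $null }
        Timestamped = [bool]$sig.TimeStamperCertificate
        SHA256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Trusted     = [bool]$ok
    }
}

$report = Test-InstallerSignature -Path $installer
$report | Format-List
if (-not $report.Trusted) {
    Write-Warning 'Signature check failed; do not run this installer.'
}
```

Recording the thumbprint and SHA256 from the first verified download lets later downloads be compared against a pinned value rather than a name match.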
4 Miscellaneous Configuration and Management
Topics:
• OpenManage Integration for Microsoft System Center Version 7.3 for Microsoft Endpoint Configuration Manager and System Center Virtual Machine Manager (OMIMSSC) licensing
• Manage backup and restore in OMIMSSC
• PowerShell Permission
• Configuring user access to WMI for MECM
OpenManage Integration for Microsoft System Center Version 7.
● In PowerShell, run the command: PSRemoting. If the PSRemoting command is disabled, enable PSRemoting using the following commands.
  ○ Run the command: Enable-PSRemoting.
  ○ In the confirmation message, type Y.
● In PowerShell, run the command: Get-ExecutionPolicy. If the policy is not set to RemoteSigned, then set it to RemoteSigned using the following commands.
  ○ Run the command: Set-ExecutionPolicy RemoteSigned.
  ○ In the confirmation message, type Y.
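The two prerequisites above can be audited and applied in one pass, changing only what is not already in place. This PowerShell is an added example, not part of the Dell guide; using Test-WSMan to decide whether remoting is enabled is an assumption, and the script also reports execution policies enforced by Group Policy, which Set-ExecutionPolicy cannot override.

```powershell
#Requires -RunAsAdministrator
# Added example: check, then apply, the PowerShell prerequisites listed above.

function Test-PSRemotingEnabled {
    # Assumption: a successful local WS-Man identify request means
    # the WinRM service and a listener are configured.
    try   { $null = Test-WSMan -ErrorAction Stop; return $true }
    catch { return $false }
}

function Get-PolicyOverride {
    # MachinePolicy and UserPolicy come from Group Policy and take precedence
    # over anything Set-ExecutionPolicy writes at LocalMachine scope.
    Get-ExecutionPolicy -List | Where-Object {
        $_.Scope -in 'MachinePolicy', 'UserPolicy' -and
        $_.ExecutionPolicy -ne 'Undefined'
    }
}

# 1. PowerShell remoting
if (Test-PSRemotingEnabled) {
    Write-Host 'PSRemoting: already enabled, no change made'
} else {
    Enable-PSRemoting -Force     # -Force answers the "Y" confirmation
    Write-Host 'PSRemoting: enabled'
}

# 2. Execution policy
$override = Get-PolicyOverride
if ($override) {
    $override | Format-Table Scope, ExecutionPolicy
    Write-Warning 'Execution policy is enforced by Group Policy; change it there.'
} elseif ((Get-ExecutionPolicy) -ne 'RemoteSigned') {
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force
    Write-Host 'Execution policy: LocalMachine set to RemoteSigned'
} else {
    Write-Host 'Execution policy: already RemoteSigned, no change made'
}

# Report the resulting state so it can be attached to the change record.
'Effective policy: {0}' -f (Get-ExecutionPolicy)
Get-ExecutionPolicy -List | Format-Table Scope, ExecutionPolicy
```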